Collaborative Security Mechanism in Detecting Intrusion Activity

The 2nd International Conference on Engineering and ICT, February 2010, Melaka, Malaysia

Faizal M. A., Mohd Zaki M., Shahrin S., Siti Rahayu S., Robiah Y.
Faculty of Information Technology and Communication
Universiti Teknikal Malaysia Melaka,
Durian Tunggal, Melaka, Malaysia
faizalabdollah@utem.edu.my, zaki.masud@utem.edu.my, shahrinsahib@utem.edu.my, sitirahayu@utem.edu.my, robiah@utem.edu.my
Abstract: The rapidly increasing array of Internet-scale threats is a pressing problem for every organization that uses the network. Organizations often have limited knowledge, as well as limited capability, to detect and respond to these threats. The sharing of information related to probes and attacks is a facet of an emerging trend toward "collaborative security". Collaborative security mechanisms provide the network administrator with a valuable tool in this increasingly hostile environment. This paper proposes a new Collaborative Security Model which incorporates existing mechanisms: prevention, using a firewall or other network device; detection, using an Intrusion Detection System (IDS); response, by correlating the log files gathered from multiple devices; and forensics, which traces the activity of the intrusion. The model integrates the mechanisms so that the advantages of each compensate for the disadvantages of the others, in order to create a strong defensive model for the network infrastructure.
Index Terms: Collaborative security, Prevention, Detection, Forensic

I. INTRODUCTION


In recent years the Internet and networks have seen a great increase in their role in society, especially in the government and business sectors. During this time we have also witnessed more sophisticated attacks launched by intruders, which may be motivated by financial or political objectives. These attacks are generated using tools and exploit scripts that are freely available on the Internet and widely used by novice malicious users to launch attacks inside a network. McHugh provides further evidence by stating that "anyone can attack Internet sites using readily made available intrusion tools and exploit scripts that capitalize on widely known vulnerabilities" [1]. Therefore the increase in the number of exploit tools may have influenced the number of novice attackers on the Internet, as shown in Figure 1.

This is shown by the report generated by CyberSecurity Malaysia [2], in which security breaches have had a significant impact on the number of reported incidents, as depicted in Figure 2. Therefore, to ensure network security, a strong mechanism that provides confidentiality, integrity and availability should be deployed to protect the network infrastructure [3].
Nowadays there are several security tools available on the market which can be used to strengthen the defensive mechanisms of the network. Despite the promises made for these tools, it is still not enough to depend solely on one specific tool, as no single tool can carry out all the security control mechanisms at once. In order to achieve effective security control in protecting the network, a defensive mechanism should support preventive, detective and responsive countermeasures [3]. With this in place, a network administrator can counter the intrusion problem and look for known and potential threats in the network traffic and/or in the audit data recorded by the hosts by simply referring to one device.
Therefore, this paper proposes a collaborative security model that can help to strengthen the security mechanisms inside the network. The collaborative security model can be used as a guideline in a real environment when seeking the best security architecture for the organization. The sharing of information related to probes and attacks is a facet of an emerging trend toward "collaborative security". Collaborative security mechanisms provide the network administrator with a valuable tool in this increasingly hostile environment.
The collaborative security model focuses on the security controls of prevention, detection and response. This paper also proposes a new element in the security control mechanism, the forensic element. Recognizing the real intruder inside the organization may help to reduce the possibility of losses, and at the same time it strengthens the collaborative security mechanism across the devices: the intrusion detection system, the logs generated by multiple devices, and the filtering rules that form the first line of defense of the network.

This paper is organized as follows. Section 2 discusses the proposed collaborative security model in general. The detailed explanation of the proposed model is given in Section 3. Finally, Section 4 presents the conclusion and possible future extensions of the work.

Fig. 1. Trend of exploit script

Fig. 2. Incident Statistic on Quarter 3 and Quarter 4 in 2007

II. COLLABORATIVE SECURITY MODEL

The collaborative security model is based on the security control mechanism proposed in [3]. That security control adopted only prevention, detection and response as the elements protecting the organization from intrusion or other malicious activity. It is not sufficient to consider only one element in the defensive countermeasure, because each of them has its own weaknesses. In Prevention, the devices need input describing the malicious activity to be prevented, and this input can only be supplied by the Detection element. The Response element consists of the logs generated by multiple devices, which are used as an audit trail to investigate activity in the network; because these devices write their logs in different formats, correlating the information is difficult. Moreover, the information gathered by the Response element is of no use if no action is taken in response to it. This is where the Forensic element takes over: it helps the administrator trace the event using the data gathered by the previous elements. Hence the output of the Forensic element can be fed back as input to the first and second elements of the Collaborative Security Model. The complete proposal of the Collaborative Security Model is illustrated in figure 3.
Fig. 3. Collaborative Security Mechanism (elements: Prevention, Detection, Response, Forensic)
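The Response element's difficulty described above, that logs from different devices arrive in different formats and so resist correlation, is usually solved by mapping every line onto one common record before any correlation is attempted. The following is an added example that is not part of the paper and not the authors' code: it normalizes three constructed log lines (an IDS alert in the Snort "fast" alert style, a netfilter/iptables kernel log line and an OpenSSH authentication failure, all invented for this demo) into one `Event` record and then shows that the same source address appears in all three logs. The year `LOG_YEAR`, the field layouts and the host names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Assumption: syslog-style lines carry no year, so one is pinned for the demo.
LOG_YEAR = 2010


@dataclass
class Event:
    """Common record that every device log is mapped onto before correlation."""
    source: str            # which device or tool produced the line
    timestamp: datetime
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]  # IP address or host name of the target
    dst_port: Optional[int]
    proto: Optional[str]
    message: str


# Snort-style fast alert: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {PROTO} SIP:SPT -> DIP:DPT
_SNORT = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<mi>\d\d):(?P<s>\d\d)\.\d+\s+"
    r"\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dip>[\d.]+):(?P<dport>\d+)"
)
# netfilter/iptables kernel log line: syslog prefix followed by KEY=VALUE fields
_IPTABLES = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) kernel: .*?"
    r"SRC=(?P<sip>[\d.]+) DST=(?P<dip>[\d.]+) .*?PROTO=(?P<proto>\w+) SPT=(?P<sport>\d+) DPT=(?P<dport>\d+)"
)
# OpenSSH authentication failure line
_SSHD = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<msg>Failed password for (?:invalid user )?\S+) from (?P<sip>[\d.]+) port (?P<sport>\d+)"
)


def _syslog_time(mon: str, day: str, hms: str) -> datetime:
    return datetime.strptime(f"{LOG_YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")


def parse_line(line: str) -> Optional[Event]:
    """Map one raw log line onto an Event, or return None if the format is unknown."""
    m = _SNORT.match(line)
    if m:
        ts = datetime(LOG_YEAR, int(m["mon"]), int(m["day"]), int(m["h"]), int(m["mi"]), int(m["s"]))
        return Event("snort", ts, m["sip"], int(m["sport"]), m["dip"], int(m["dport"]), m["proto"], m["msg"])
    m = _IPTABLES.match(line)
    if m:
        ts = _syslog_time(m["mon"], m["day"], m["time"])
        return Event("iptables", ts, m["sip"], int(m["sport"]), m["dip"], int(m["dport"]),
                     m["proto"], "packet logged by firewall rule")
    m = _SSHD.match(line)
    if m:
        ts = _syslog_time(m["mon"], m["day"], m["time"])
        # sshd logs the host name, not its IP; port 22 is assumed for the service.
        return Event("sshd", ts, m["sip"], int(m["sport"]), m["host"], 22, "TCP", m["msg"])
    return None


def normalize(lines: List[str]) -> List[Event]:
    """Parse every line it can and return the events in time order; unknown formats are dropped."""
    events = [e for e in (parse_line(line) for line in lines) if e is not None]
    return sorted(events, key=lambda e: e.timestamp)


def sources_by_src(events: List[Event]) -> Dict[str, List[str]]:
    """For each source address, the sorted list of devices that reported it."""
    seen: Dict[str, set] = {}
    for e in events:
        if e.src_ip:
            seen.setdefault(e.src_ip, set()).add(e.source)
    return {ip: sorted(devs) for ip, devs in seen.items()}


# Constructed sample lines (not real captures) from three devices watching the same host.
SAMPLE_LINES = [
    "03/15-14:22:01.123456  [**] [1:1000001:1] CONSTRUCTED SCAN TCP portsweep [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44321 -> 192.168.1.10:445",
    "Mar 15 14:22:02 fw01 kernel: [1234.5678] IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=44321 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Mar 15 14:22:05 srv01 sshd[2211]: Failed password for root from 10.0.0.5 port 51000 ssh2",
    "Mar 15 14:22:06 srv01 cron[400]: (root) CMD (run-parts /etc/cron.hourly)",  # unrelated noise
]

if __name__ == "__main__":
    for e in normalize(SAMPLE_LINES):
        print(e.timestamp.isoformat(), e.source, e.src_ip, "->", e.dst_ip, e.dst_port, e.message)
    print(sources_by_src(normalize(SAMPLE_LINES)))
```

Once every device speaks the same `Event` schema, the clustering and reduction steps of the Response element and the per-host tracing of the Forensic element can operate on one list instead of three parsers' worth of special cases; the cron line shows that lines in an unknown format are dropped rather than mis-parsed.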
IDS have the capability to analyze network traffic and recognize incoming and ongoing intrusions. Unfortunately, combining fast attack and slow attack detection in a single anomaly detection module operating in real time may slow down the detection process. In a real-time network, early detection of fast attacks can prevent further attacks and reduce unauthorized access to the targeted machine. Although fast attack detection increases detection accuracy, the IDS still needs further improvement in order to reduce false alarms. Therefore, correlating data among different logs to improve the accuracy of intrusion detection systems is needed. The existing alert correlation techniques, namely similarity based, Predefined Attack Scenarios, Pre-Requisites and Consequences of Individual Attacks, and Statistical Causal Analysis, have been reviewed and analyzed. From the analysis, six capability criteria have been identified to improve current alert correlation techniques: the capability to do alert reduction, to do alert clustering, to identify multi-step attacks, to reduce false alerts, to detect known attacks and to detect unknown attacks. The various techniques therefore need to be compared in order to find the most suitable log correlation technique for detecting attackers. The accurate log generated by the IDS using fast attack detection and alert correlation can further be used as a source of evidence for forensic investigation in order to trace the origin of a potential attack. Each element is discussed in detail in the next section.
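The two ideas in this section, a fast attack module that flags a source quickly by threshold and a correlation step that performs alert reduction and alert clustering across sensors (the first two of the six capability criteria above), are shown together in the following added example. It is not the paper's or the authors' code: the threshold rule (more than `port_threshold` distinct destination ports on one host within `window` seconds) is an assumed stand-in, not the verified threshold of [10], and the connection records, sensor names and signature names are constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    sensor: str      # device that raised it (an IDS sensor, or the fast attack module below)
    ts: float        # seconds since an arbitrary epoch
    src: str
    dst: str
    signature: str


# Constructed connection records seen by the detection element: (ts, src_ip, dst_ip, dst_port).
# 10.0.0.5 touches six ports on one host within half a second; 10.0.0.9 is ordinary traffic.
CONNECTIONS: List[Tuple[float, str, str, int]] = [
    (100.0, "10.0.0.5", "192.168.1.10", 21),
    (100.1, "10.0.0.5", "192.168.1.10", 22),
    (100.2, "10.0.0.5", "192.168.1.10", 23),
    (100.3, "10.0.0.5", "192.168.1.10", 25),
    (100.4, "10.0.0.5", "192.168.1.10", 80),
    (100.5, "10.0.0.5", "192.168.1.10", 443),
    (100.0, "10.0.0.9", "192.168.1.20", 80),
    (130.0, "10.0.0.9", "192.168.1.20", 443),
]

# Constructed alerts from two IDS sensors that both see the same segment, so the one scan
# is reported by each sensor and repeatedly over time (the alert flooding problem).
SENSOR_ALERTS: List[Alert] = [
    Alert("snort-dmz", 100.2, "10.0.0.5", "192.168.1.10", "PORTSCAN (constructed signature)"),
    Alert("snort-core", 100.3, "10.0.0.5", "192.168.1.10", "PORTSCAN (constructed signature)"),
    Alert("snort-dmz", 100.6, "10.0.0.5", "192.168.1.10", "PORTSCAN (constructed signature)"),
    Alert("snort-core", 100.7, "10.0.0.5", "192.168.1.10", "PORTSCAN (constructed signature)"),
    Alert("snort-dmz", 101.0, "10.0.0.9", "192.168.1.20", "WEB robots.txt request (constructed)"),
]


def detect_fast_attack(conns, window=1.0, port_threshold=5, sensor="fast-attack-module") -> List[Alert]:
    """Assumed threshold rule (not the verified threshold of [10]): raise one alert when a source
    touches more than `port_threshold` distinct destination ports on one host within `window` s."""
    by_pair: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for ts, src, dst, port in conns:
        by_pair[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), items in by_pair.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # advance the window start until the span [start, end] fits inside `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct_ports = {port for _, port in items[start:end + 1]}
            if len(distinct_ports) > port_threshold:
                alerts.append(Alert(sensor, items[end][0], src, dst, "FAST-ATTACK port sweep"))
                break  # one alert per (src, dst) pair so the detector itself does not flood
    return alerts


def cluster_alerts(alerts: List[Alert], window=60.0) -> List[dict]:
    """Alert clustering and reduction: alerts sharing (src, dst, signature) within `window` seconds
    of the cluster's first alert are merged, whichever sensor raised them."""
    clusters: List[dict] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for c in clusters:
            same_key = (c["src"], c["dst"], c["signature"]) == (a.src, a.dst, a.signature)
            if same_key and a.ts - c["first"] <= window:
                c["count"] += 1
                c["last"] = a.ts
                c["sensors"].add(a.sensor)
                break
        else:
            clusters.append({"src": a.src, "dst": a.dst, "signature": a.signature,
                             "first": a.ts, "last": a.ts, "count": 1, "sensors": {a.sensor}})
    return clusters


def reduction_ratio(raw_count: int, cluster_count: int) -> float:
    """Fraction of raw alerts removed by clustering (0.0 means nothing was merged)."""
    return 0.0 if raw_count == 0 else 1.0 - cluster_count / raw_count


def suspects(clusters: List[dict]) -> List[str]:
    """Sources ordered by the number of distinct signatures raised against them; this is the
    short list an administrator would hand to the forensic element for tracing."""
    per_src: Dict[str, set] = defaultdict(set)
    for c in clusters:
        per_src[c["src"]].add(c["signature"])
    return sorted(per_src, key=lambda s: (-len(per_src[s]), s))


if __name__ == "__main__":
    raw = SENSOR_ALERTS + detect_fast_attack(CONNECTIONS)
    clusters = cluster_alerts(raw)
    for c in clusters:
        print(f"{c['src']} -> {c['dst']}  {c['signature']}  x{c['count']}  sensors={sorted(c['sensors'])}")
    print("reduction:", reduction_ratio(len(raw), len(clusters)))
    print("suspects:", suspects(clusters))
```

With the constructed data the six raw alerts collapse to three clusters (a reduction of one half), the scan cluster records that both sensors saw it, and the fast attack module adds an independent signature against the same source, which is what lets the suspect ranking put 10.0.0.5 ahead of the host that only fetched robots.txt. The clustering is deliberately keyed on the signature as well as the address pair so that different attack steps against one host stay separate for multi-step analysis.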
III. COLLABORATIVE SECURITY ELEMENT

This section introduces and discusses the Collaborative Security elements in detail, and compares the existing security control mechanism with the proposed Collaborative Security model.

A. Prevention and Detection

The detection methods used by a network intrusion detection system (NIDS) can be classified as anomaly based and signature based. Both methods are used by intrusion detection systems, and each has its own drawbacks in detecting intrusion activity. Signature based NIDS have a major drawback in identifying new intruders in the network, because they depend on the intrusion patterns that have been declared in the database of the intrusion detection system. If a new attack occurs inside the network and its signature has not been entered in the database, the system will not be able to detect it [4]. This problem arises because a signature based NIDS relies on sets of predefined rules that are provided by the administrator, created automatically by the system, or both [5]. Generating new rules requires deep knowledge and skill on the part of the administrator, and not many administrators have the depth of knowledge and skill needed to write new signatures [6].

In the anomaly based approach, on the other hand, intrusion detection attempts to model the expected behavior of objects (users, processes, network hosts and the like). Any action that does not correspond to expectation is considered suspicious. The strength of these methods lies in their ability to differentiate normal user behavior, anomalous but acceptable behavior, and intrusive behavior [5]. Anomaly based detection has difficulty in determining the threshold by which behavior must deviate from a profile in order to be considered a possible attack [7], [8], [9].

Consequently, to improve the detection process in the Collaborative Security elements, a new detection method that segregates the anomaly module into two different modules, a fast attack module and a slow attack module, is introduced [10], [11], [12]. The capability of each module may contribute to the effectiveness of the proposed model.

B. Response

To improve the response element in the proposed Collaborative Security model, new alert correlation techniques were developed to address the correlation issues. The criteria analyzed in [13] are the following capability criteria:
1. Capability to do alert reduction
2. Capability to do alert clustering
3. Capability to identify multi-step attacks
4. Capability to reduce false alerts
5. Capability to detect known attacks
6. Capability to detect unknown attacks

Alert reduction is required in order to overcome the problem of alert flooding, that is, the large amount of alert data generated by multiple devices; this capability shortens the troubleshooting process, especially when pinpointing the exact attacker in the environment. The second criterion is alert clustering, which groups multiple related alerts and at the same time reduces the number of alerts by ignoring similar alerts generated by different sensors. The third criterion is the capability to detect multi-step attacks, as attacker behavior nowadays is becoming more sophisticated. The fourth criterion is the capability to reduce false alarms; this criterion is important as it is closely related to the alert flooding issue. The fifth and sixth criteria, detecting both known and unknown attacks, are required to ensure that the alerts generated overcome the issues of alert flooding and false alerts.

C. Forensic

In the Forensic element, the model proposes a new tracing technique, illustrated in figure 4. It consists of three elements: victim, attacker and IDS [14]. On the victim side it consists of a victim tracing algorithm which analyzes the victim's personal firewall log, security log, system log and application log, taken from the correlated log derived from the previous element. The same algorithm is applied to the attacker machine in order to identify the true attacker. The alert generated by the detection element also becomes an input to this process. As a result, the integration of all these elements may produce accurate information about the attacker, which can be used as input to the prevention element.

Fig. 4. Proposed Tracing Technique

IV. CONCLUSION AND FUTURE WORK

In this study the researchers have proposed a new model for Collaborative Security which integrates the existing security control mechanisms and adds a new element that can improve the current implementation of network security countermeasures. Each element has been reviewed and extended with a new technique that improves the existing defensive method and eliminates its current weaknesses. Currently the research group is in the process of integrating each element into one integrated system, and in the future will evaluate and assess the proposed model in a real network environment.

REFERENCES

[1] McHugh J., Christie A., Allen J. "Defending Yourself: The Role of Intrusion Detection System". IEEE Software, 2000.
[2] CyberSecurity Malaysia. "E-Security Volume 13 (Q4/2007)". Technical Report for e-Security, CyberSecurity Malaysia, MOSTI, 2007.
[3] Mark Merkow and Jim Breithaupt. Information Security: Principles and Practice. Pearson Prentice Hall, New Jersey, USA.
[4] Kingsly Leung and Christopher Leckie. "Unsupervised Anomaly Detection in Network Intrusion Detection Using Clusters". In Proceedings of the 28th Australasian Computer Science Conference, 2005.
[5] James Cannady. "Artificial Neural Networks for Misuse Detection". In Proceedings of the National Information Systems Security Conference, 1998.
[6] Koike, H. and Ohno, H. "SnortView: Visualization System of Snort Logs". In Proceedings of ACM VizSEC/DMSEC'04, 2004.
[7] Chris Herringshaw. "Detecting Attacks on Networks". IEEE Computer, Industry Trends, 2004.
[8] Robertson, S., Siegel, E. V., Miller, M. and Stolfo, S. J. "Surveillance Detection in High Bandwidth Environments". In Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX'03), IEEE, 2003.
[9] Xin, W. J., Ying, W. Z. and Kui, D. "A Network Intrusion Detection System Based on the Artificial Neural Networks". In Proceedings of the 3rd International Conference on Information Security (InfoSecu04), ACM, China, 2004.
[10] Faizal M. A., Mohd Zaki M., Shahrin S., Robiah Y., Siti Rahayu S., Nazrulazhar B. "Threshold Verification Technique for Network Intrusion Detection System". International Journal of Computer Science and Information Security, Vol. 2, No. 1, 2009, ISSN 1947-5500, USA.
[11] Faizal M. A., Asrul H. Y., Shahrin S. "An Earlier Detection Framework for Network Intrusion Detection System". In Proceedings of the Second International Conference on Advances in Information Technology, Bangkok, 1-2 November 2007.
[12] Shahrin S., Faizal M. A., Asrul H. Y. "Toward Early Detection of Network Intrusion". In Proceedings of the Information Technology and National Security Conference, Riyadh, Saudi Arabia, 1-4 December 2007.
[13] Robiah Yusof, Siti Rahayu Selamat, Shahrin Sahib. "Intrusion Alert Correlation Technique Analysis for Heterogeneous Log". International Journal of Computer Science and Network Security, Vol. 8, No. 9, pp. 132-138, 2008.
[14] Siti Rahayu S., Robiah Y., Shahrin S., Faizal M. A., Mohd Zaki M., Irda R. "Tracing Technique for Blaster Attack". International Journal of Computer Science and Information Security, Vol. 4, No. 1, pp. 1-8, 2009.